#!/bin/sh

#
# Test that signing firmware does the expected thing
#

. "$(cd "$(dirname "$0")" && pwd)/common.sh"

cat >$CONFIG <<EOF
file-resource TEST {
	host-path = "${TESTFILE_1K}"
}

task complete {
	on-resource TEST { raw_write(0) }
}
EOF

# Create several new key pairs
cd $WORK
$FWUP_CREATE -g
mv fwup-key.priv fwup-key1.priv
mv fwup-key.pub  fwup-key1.pub
$FWUP_CREATE -g
mv fwup-key.priv fwup-key2.priv
mv fwup-key.pub  fwup-key2.pub
$FWUP_CREATE -g
mv fwup-key.priv fwup-key3.priv
mv fwup-key.pub  fwup-key3.pub
cd -

KEY1=$(cat $WORK/fwup-key1.pub)
KEY2=$(cat $WORK/fwup-key2.pub)
KEY3=$(cat $WORK/fwup-key3.pub)

expect_fail() {
    if eval $*; then
        echo "Expected this to fail: $*"
        exit 1
    fi
}

# Sign the firmware with each key
$FWUP_CREATE -s $WORK/fwup-key1.priv -c -f $CONFIG -o $FWFILE.1
$FWUP_CREATE -s $WORK/fwup-key2.priv -c -f $CONFIG -o $FWFILE.2
$FWUP_CREATE -s $WORK/fwup-key3.priv -c -f $CONFIG -o $FWFILE.3

#
# Pass the file
#

# Check that applying the firmware with checking signatures works
$FWUP_APPLY -q -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -a -d $IMGFILE -i $FWFILE.1 -t complete
$FWUP_APPLY -q -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -a -d $IMGFILE -i $FWFILE.2 -t complete
$FWUP_APPLY -q -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -a -d $IMGFILE -i $FWFILE.3 -t complete

# Check that verifying the firmware with checking signatures works
$FWUP_VERIFY -V -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.1
$FWUP_VERIFY -V -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.2
$FWUP_VERIFY -V -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.3

# Check that listing metadata with checking signatures works
$FWUP_VERIFY -m -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.1
$FWUP_VERIFY -m -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.2
$FWUP_VERIFY -m -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.3

# Check that listing tasks with checking signatures works
$FWUP_VERIFY -l -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.1
$FWUP_VERIFY -l -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.2
$FWUP_VERIFY -l -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.3

# Sanity check that bad signatures still fail
expect_fail $FWUP_VERIFY -V  -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.1
expect_fail $FWUP_VERIFY -V  -p $WORK/fwup-key1.pub -p $WORK/fwup-key3.pub -i $FWFILE.2
expect_fail $FWUP_VERIFY -V  -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -i $FWFILE.3

expect_fail $FWUP_VERIFY -m  -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.1
expect_fail $FWUP_VERIFY -m  -p $WORK/fwup-key1.pub -p $WORK/fwup-key3.pub -i $FWFILE.2
expect_fail $FWUP_VERIFY -m  -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -i $FWFILE.3

expect_fail $FWUP_VERIFY -l  -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -i $FWFILE.1
expect_fail $FWUP_VERIFY -l  -p $WORK/fwup-key1.pub -p $WORK/fwup-key3.pub -i $FWFILE.2
expect_fail $FWUP_VERIFY -l  -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -i $FWFILE.3

expect_fail $FWUP_APPLY -q -p $WORK/fwup-key2.pub -p $WORK/fwup-key3.pub -a -d $IMGFILE -i $FWFILE.1 -t complete
expect_fail $FWUP_APPLY -q -p $WORK/fwup-key1.pub -p $WORK/fwup-key3.pub -a -d $IMGFILE -i $FWFILE.2 -t complete
expect_fail $FWUP_APPLY -q -p $WORK/fwup-key1.pub -p $WORK/fwup-key2.pub -a -d $IMGFILE -i $FWFILE.3 -t complete

#
# Pass the key
#

# Check that applying the firmware with checking signatures works
$FWUP_APPLY -q --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -a -d $IMGFILE -i $FWFILE.1 -t complete
$FWUP_APPLY -q --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -a -d $IMGFILE -i $FWFILE.2 -t complete
$FWUP_APPLY -q --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -a -d $IMGFILE -i $FWFILE.3 -t complete

# Check that verifying the firmware with checking signatures works
$FWUP_VERIFY -V --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.1
$FWUP_VERIFY -V --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.2
$FWUP_VERIFY -V --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.3

# Check that listing metadata with checking signatures works
$FWUP_VERIFY -m --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.1
$FWUP_VERIFY -m --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.2
$FWUP_VERIFY -m --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.3

# Check that listing tasks with checking signatures works
$FWUP_VERIFY -l --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.1
$FWUP_VERIFY -l --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.2
$FWUP_VERIFY -l --public-key "$KEY1" --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.3

# Sanity check that bad signatures still fail
expect_fail $FWUP_VERIFY -V  --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.1
expect_fail $FWUP_VERIFY -V  --public-key "$KEY1" --public-key "$KEY3" -i $FWFILE.2
expect_fail $FWUP_VERIFY -V  --public-key "$KEY1" --public-key "$KEY2" -i $FWFILE.3

expect_fail $FWUP_VERIFY -m  --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.1
expect_fail $FWUP_VERIFY -m  --public-key "$KEY1" --public-key "$KEY3" -i $FWFILE.2
expect_fail $FWUP_VERIFY -m  --public-key "$KEY1" --public-key "$KEY2" -i $FWFILE.3

expect_fail $FWUP_VERIFY -l  --public-key "$KEY2" --public-key "$KEY3" -i $FWFILE.1
expect_fail $FWUP_VERIFY -l  --public-key "$KEY1" --public-key "$KEY3" -i $FWFILE.2
expect_fail $FWUP_VERIFY -l  --public-key "$KEY1" --public-key "$KEY2" -i $FWFILE.3

expect_fail $FWUP_APPLY -q --public-key "$KEY2" --public-key "$KEY3" -a -d $IMGFILE -i $FWFILE.1 -t complete
expect_fail $FWUP_APPLY -q --public-key "$KEY1" --public-key "$KEY3" -a -d $IMGFILE -i $FWFILE.2 -t complete
expect_fail $FWUP_APPLY -q --public-key "$KEY1" --public-key "$KEY2" -a -d $IMGFILE -i $FWFILE.3 -t complete
